
Slow pc and possible fake Adobe Flash updater?


  • This topic is locked
44 replies to this topic

#1 pstgh

  • Members
  • 72 posts

Posted 27 January 2018 - 04:51 PM

Can someone please check my FRST and Addition logs posted below? I'm experiencing a very slow / bogged-down PC and randomly get an Adobe Flash updater screen in an Internet Explorer (11) pop-up. I have purposely not updated it because when that pop-up occurs, it is typically from some wacky / random web address. I may need to just update it, but I'd like some confirmation that it is not some virus asking me to further infect my system. Thank you!

 

Wow, that's odd: for some reason I'm unable to select all / copy / paste into this forum? Not sure, but I am trying to attach the logs as txt files...

 

looks like it worked that way- hope that is ok?

 

thanks!

Attached Files





#2 satchfan

  • Malware Response Team
  • 2,917 posts
  • Gender:Female
  • Location:Devon, UK

Posted 27 January 2018 - 05:43 PM

Hello pstgh and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Run Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware to your desktop.

  • double-click mb3-setup-consumer-3.0.4.exe and follow the prompts to install the program
  • at the end, be sure a checkmark is placed next to the following
    • Launch Malwarebytes Anti-Malware
    • a 14 day trial of the Premium features is pre-selected: deselect this if you don’t want it, (it won’t diminish the scanning and removal capabilities of the program).
  • click Finish.
  • on the Dashboard, click Update Now
  • after the update completes, click the Scan Now button.
  • if an update is available, clicking the Update Now button will update it
  • a Threat Scan will begin.
  • when the scan is complete, if malware has been detected, click Apply Actions to allow MBAM to clean what was found
  • when the prompt to restart the computer appears, click Yes.
  • after the restart once you are back at your desktop, open MBAM once more
  • click on the “History” tab, then “Application Logs”
  • double-click on the scan log which shows the date and time of the scan just performed.
  • click Copy to Clipboard
  • please paste the contents of the clipboard into your reply.

===================================================

Please run FRST again and make sure there is a checkmark next to "Addition.txt" before you hit “Scan”.

Logs to include with next post:

AdwCleaner log
Mbam.txt
New Frst.txt
New Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 pstgh

  • Topic Starter
  • Members
  • 72 posts

Posted 27 January 2018 - 07:19 PM

OK - once again, this forum is not allowing me to paste anything into a reply box, so I'm attaching each of the updated logs in the order that you indicated.

 

This pc seems to be functioning much better now, though nothing has been found in the scans.... not sure what that means- the slow-down and adobe flash updater seem to crop up when I'm looking at yahoo email, but I'm not sure.  I'm now beginning to second guess if that updater could be legit?  The reason I don't think it is legit is because it always appears to be from a very strange website address instead of from adobe.

 

Thanks for your review and assistance of these logs.

Attached Files



#4 satchfan

  • Malware Response Team
  • 2,917 posts

Posted 28 January 2018 - 09:29 AM

once again, this forum is not allowing me to paste anything into a reply box

I have that problem with right-clicking and have to use Ctrl+V to post here. This only happens with Firefox for some reason; using IE it's fine. Don't know about Chrome as I don't use it.

 

There doesn’t appear to be any sign of anything amiss in relation to Adobe but a few things to tidy up and then we’ll have another check.

Run Farbar Recovery Scan Tool

  • right-click FRST/FRST64 and select ‘Run as administrator’
  • highlight the contents of the code box below, then press Ctrl+C:
Start::
CloseProcesses:
F:\MotoCastSetup.exe -a
HKU\S-1-5-21-639736396-2184136638-4060683705-1001\...\MountPoints2: {633a55e8-a9b6-11e3-b5b2-9b4fb9ce7f1f} - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-639736396-2184136638-4060683705-1001\...\MountPoints2: {7c9d595e-8636-11e4-8a3b-9cb70dd034c2} - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-639736396-2184136638-4060683705-1001\...\MountPoints2: {7c9d5baa-8636-11e4-8a3b-9cb70dd034c2} - G:\MotoCastSetup.exe -a
HKU\S-1-5-21-639736396-2184136638-4060683705-1001\...\MountPoints2: {d067762c-d71d-11e2-8f79-9cb70dd034c2} - F:\MotoCastSetup.exe -a
SearchScopes: HKU\S-1-5-21-639736396-2184136638-4060683705-1001 -> {3B3F843B-DDFD-4F73-B3DF-FD10A759D862} URL =
SearchScopes: HKU\S-1-5-21-639736396-2184136638-4060683705-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
SearchScopes: HKU\S-1-5-21-639736396-2184136638-4060683705-1001 -> {FE5D4910-6E82-4117-B3F2-F3E5B6F731B8} URL =
FF Plugin-x32: @google.com/tvswebplugin -> C:\Windows\system32\nptvswebplugin.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-22]
CHR Extension: (Chrome Media Router) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-24]
CHR Extension: (Chrome Media Router) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-10]
2018-01-03 09:37 - 2018-01-03 09:37 - 000000000 ____D C:\Users\HagerHouse\AppData\Local\{E0D3E7F6-11DE-4192-A906-1DC4EC56CC6A}
EmptyTemp:
End::

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • in the FRST window, press the ‘Fix’ button once and wait
  • please reboot the computer if requested
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

================================================

Run Zemana AntiMalware

Download Zemana AntiMalware:

  • open the program and without changing any options, press Scan
  • after the scan is finished, if threats are detected press Next to remove them

Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.

  • open Zemana AntiMalware again and locate the report
  • please paste the contents into your reply.

Logs to include with next post:

Fixlog.txt
Zemana AntiMalware report


Thanks

Satchfan

 

 




#5 pstgh

  • Topic Starter
  • Members
  • 72 posts

Posted 28 January 2018 - 12:45 PM

OK- I've now done those next two steps and am posting the Fixlog and the report from Zemana (which shows I'm clean) below.  Meanwhile, in the midst of doing these tasks, this random adobe updater popped up again, so I copied the strange website address here for your review...

 

https://ag6oohitpulse.net/1619273174912/6f0ab3debdcd5d9f79e372d23802a05d/946dd444eac2c2474a7aa9749e9801ef.html

 

Here are the two logs:

 

Fixlog:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by HagerHouse (28-01-2018 10:04:58) Run:2
Running from C:\Users\HagerHouse\Desktop\PC Fix Stuff
Loaded Profiles: HagerHouse & UpdatusUser (Available Profiles: HagerHouse & UpdatusUser & Philip Hager)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CloseProcesses:
F:\MotoCastSetup.exe -a
HKU\S-1-5-21-639736396-2184136638-4060683705-1001\...\MountPoints2: {633a55e8-a9b6-11e3-b5b2-9b4fb9ce7f1f} - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-639736396-2184136638-4060683705-1001\...\MountPoints2: {7c9d595e-8636-11e4-8a3b-9cb70dd034c2} - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-639736396-2184136638-4060683705-1001\...\MountPoints2: {7c9d5baa-8636-11e4-8a3b-9cb70dd034c2} - G:\MotoCastSetup.exe -a
HKU\S-1-5-21-639736396-2184136638-4060683705-1001\...\MountPoints2: {d067762c-d71d-11e2-8f79-9cb70dd034c2} -
F:\MotoCastSetup.exe -a
SearchScopes: HKU\S-1-5-21-639736396-2184136638-4060683705-1001 -> {3B3F843B-DDFD-4F73-B3DF-FD10A759D862} URL =
SearchScopes: HKU\S-1-5-21-639736396-2184136638-4060683705-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
SearchScopes: HKU\S-1-5-21-639736396-2184136638-4060683705-1001 -> {FE5D4910-6E82-4117-B3F2-F3E5B6F731B8} URL =
FF Plugin-x32: @google.com/tvswebplugin -> C:\Windows\system32\nptvswebplugin.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-22]
CHR Extension: (Chrome Media Router) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-24]
CHR Extension: (Chrome
Media Router) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-10]
2018-01-03 09:37 - 2018-01-03 09:37 - 000000000 ____D C:\Users\HagerHouse\AppData\Local\{E0D3E7F6-11DE-4192-A906-1DC4EC56CC6A}
EmptyTemp:
 
*****************
 
Processes closed successfully.
"F:\MotoCastSetup.exe -a" => not found
"HKU\S-1-5-21-639736396-2184136638-4060683705-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{633a55e8-a9b6-11e3-b5b2-9b4fb9ce7f1f}" => removed successfully
HKLM\Software\Classes\CLSID\{633a55e8-a9b6-11e3-b5b2-9b4fb9ce7f1f} => key not found
"HKU\S-1-5-21-639736396-2184136638-4060683705-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7c9d595e-8636-11e4-8a3b-9cb70dd034c2}" => removed successfully
HKLM\Software\Classes\CLSID\{7c9d595e-8636-11e4-8a3b-9cb70dd034c2} => key not found
"HKU\S-1-5-21-639736396-2184136638-4060683705-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7c9d5baa-8636-11e4-8a3b-9cb70dd034c2}" => removed successfully
HKLM\Software\Classes\CLSID\{7c9d5baa-8636-11e4-8a3b-9cb70dd034c2} => key not found
"HKU\S-1-5-21-639736396-2184136638-4060683705-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d067762c-d71d-11e2-8f79-9cb70dd034c2}" => removed successfully
HKLM\Software\Classes\CLSID\{d067762c-d71d-11e2-8f79-9cb70dd034c2} => key not found
"F:\MotoCastSetup.exe -a" => not found
"HKU\S-1-5-21-639736396-2184136638-4060683705-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3B3F843B-DDFD-4F73-B3DF-FD10A759D862}" => removed successfully
HKLM\Software\Classes\CLSID\{3B3F843B-DDFD-4F73-B3DF-FD10A759D862} => key not found
"HKU\S-1-5-21-639736396-2184136638-4060683705-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => removed successfully
HKLM\Software\Classes\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found
"HKU\S-1-5-21-639736396-2184136638-4060683705-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE5D4910-6E82-4117-B3F2-F3E5B6F731B8}" => removed successfully
HKLM\Software\Classes\CLSID\{FE5D4910-6E82-4117-B3F2-F3E5B6F731B8} => key not found
"HKLM\Software\Wow6432Node\MozillaPlugins\@google.com/tvswebplugin" => removed successfully
CHR Extension: (Chrome Web Store Payments) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-22] => Error: No automatic fix found for this entry.
CHR Extension: (Chrome Media Router) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-09] => Error: No automatic fix found for this entry.
CHR Extension: (Chrome Web Store Payments) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-24] => Error: No automatic fix found for this entry.
CHR Extension: (Chrome => Error: No automatic fix found for this entry.
Media Router) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-10] => Error: No automatic fix found for this entry.
C:\Users\HagerHouse\AppData\Local\{E0D3E7F6-11DE-4192-A906-1DC4EC56CC6A} => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 68236573 B
Java, Flash, Steam htmlcache => 1135 B
Windows/system/drivers => 27624913 B
Edge => 0 B
Chrome => 1452110920 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 13887478 B
HagerHouse => 1038229688 B
UpdatusUser => 0 B
Philip Hager => 19473288 B
 
RecycleBin => 0 B
EmptyTemp: => 2.4 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 10:08:45 ====
 
Zemana report:
 
Zemana AntiMalware 2.74.2.150 (Installed)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2018/1/28
Operating System       : Windows 7 64-bit
Processor              : 8X Intel® Core™ i7-3770S CPU @ 3.10GHz
BIOS Mode              : Legacy
CUID                   : 12E27F1795AD5BB059CB76
Scan Type              : System Scan
Duration               : 33m 17s
Scanned Objects        : 353130
Detected Objects       : 0
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : HAGERNET,0,2
 
Detected Objects
-------------------------------------------------------
 
No threats detected
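A check worth making on a Fixlog like the one above: every fixlist entry should come back as "removed successfully", "moved successfully" or "not found", and anything FRST reports as "Error: No automatic fix found for this entry" still needs manual attention. This log has five such lines: the three intact Chrome extension entries, which FRST does not remove on its own, plus "CHR Extension: (Chrome" and "Media Router) - ...", the two halves of one entry that was split across two lines when the script was pasted (the same split is visible in the fixlist echo). The script below is an added example, not part of the thread and not part of FRST. It parses the result section of the Fixlog copied from the post (with the fixlist echo trimmed out to keep the sample short) and tallies the outcomes so the unapplied entries stand out.

```python
import re
from collections import Counter

# Constructed sample: the result section of the Fixlog posted above, copied
# verbatim. The fixlist echo between the two star lines is left out for brevity.
FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by HagerHouse (28-01-2018 10:04:58) Run:2
==============================================

fixlist content:
*****************
*****************

Processes closed successfully.
"F:\MotoCastSetup.exe -a" => not found
"HKU\S-1-5-21-639736396-2184136638-4060683705-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{633a55e8-a9b6-11e3-b5b2-9b4fb9ce7f1f}" => removed successfully
HKLM\Software\Classes\CLSID\{633a55e8-a9b6-11e3-b5b2-9b4fb9ce7f1f} => key not found
"HKU\S-1-5-21-639736396-2184136638-4060683705-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7c9d595e-8636-11e4-8a3b-9cb70dd034c2}" => removed successfully
HKLM\Software\Classes\CLSID\{7c9d595e-8636-11e4-8a3b-9cb70dd034c2} => key not found
"HKU\S-1-5-21-639736396-2184136638-4060683705-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7c9d5baa-8636-11e4-8a3b-9cb70dd034c2}" => removed successfully
HKLM\Software\Classes\CLSID\{7c9d5baa-8636-11e4-8a3b-9cb70dd034c2} => key not found
"HKU\S-1-5-21-639736396-2184136638-4060683705-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d067762c-d71d-11e2-8f79-9cb70dd034c2}" => removed successfully
HKLM\Software\Classes\CLSID\{d067762c-d71d-11e2-8f79-9cb70dd034c2} => key not found
"F:\MotoCastSetup.exe -a" => not found
"HKU\S-1-5-21-639736396-2184136638-4060683705-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3B3F843B-DDFD-4F73-B3DF-FD10A759D862}" => removed successfully
HKLM\Software\Classes\CLSID\{3B3F843B-DDFD-4F73-B3DF-FD10A759D862} => key not found
"HKU\S-1-5-21-639736396-2184136638-4060683705-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => removed successfully
HKLM\Software\Classes\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found
"HKU\S-1-5-21-639736396-2184136638-4060683705-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE5D4910-6E82-4117-B3F2-F3E5B6F731B8}" => removed successfully
HKLM\Software\Classes\CLSID\{FE5D4910-6E82-4117-B3F2-F3E5B6F731B8} => key not found
"HKLM\Software\Wow6432Node\MozillaPlugins\@google.com/tvswebplugin" => removed successfully
CHR Extension: (Chrome Web Store Payments) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-22] => Error: No automatic fix found for this entry.
CHR Extension: (Chrome Media Router) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-09] => Error: No automatic fix found for this entry.
CHR Extension: (Chrome Web Store Payments) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-24] => Error: No automatic fix found for this entry.
CHR Extension: (Chrome => Error: No automatic fix found for this entry.
Media Router) - C:\Users\HagerHouse\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-10] => Error: No automatic fix found for this entry.
C:\Users\HagerHouse\AppData\Local\{E0D3E7F6-11DE-4192-A906-1DC4EC56CC6A} => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
EmptyTemp: => 2.4 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 10:08:45 ====
"""

# One result line: an optionally quoted target, ' => ', and the outcome text.
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"? => (?P<outcome>.+)$')


def classify(outcome):
    """Map an FRST outcome string to fixed / absent / error / other."""
    o = outcome.lower()
    if o.startswith('error'):
        return 'error'
    if o.endswith('successfully'):
        return 'fixed'
    if 'not found' in o:
        return 'absent'
    return 'other'


def result_section(text):
    """Lines between the last '*****' separator and the EmptyTemp summary,
    so the byte counts in the EmptyTemp block are never mistaken for results."""
    lines = text.splitlines()
    stars = [i for i, l in enumerate(lines) if l.strip() and set(l.strip()) == {'*'}]
    if not stars:
        raise ValueError('no fixlist block found; is this a Fixlog?')
    end = next((i for i, l in enumerate(lines)
                if l.startswith('=========== EmptyTemp:')), len(lines))
    return lines[stars[-1] + 1:end]


def parse_fixlog(text):
    """Return [(target, outcome, kind)] for every 'target => outcome' line."""
    results = []
    for line in result_section(text):
        m = RESULT_RE.match(line.strip())
        if m:
            results.append((m['target'], m['outcome'], classify(m['outcome'])))
    return results


def summarize(text):
    """Tally outcomes and list the targets FRST could not fix automatically."""
    results = parse_fixlog(text)
    counts = Counter(kind for _, _, kind in results)
    unapplied = [target for target, _, kind in results if kind == 'error']
    return {'total': len(results), 'counts': dict(counts), 'unapplied': unapplied}


if __name__ == '__main__':
    report = summarize(FIXLOG)
    print(report['counts'])
    for target in report['unapplied']:
        print('needs manual attention:', target)
```

On this log the tally is 9 fixed, 9 absent (the "not found" lines are FRST's own follow-up lookups for CLSID keys that never existed, plus the F:\ path of a drive that was not connected) and 5 errors. The split entry is the one to watch for in general: a fixlist line broken in two produces two harmless errors here, but a broken path in a delete directive could just as easily target the wrong object.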
 


#6 satchfan

  • Malware Response Team
  • 2,917 posts

Posted 28 January 2018 - 05:23 PM

All logs have come back 'clean' and there is no sign of malware on your computer.

 

The link you gave, (although I didn't visit it), seems to be related to SEO, (Search Engine Optimisation). If this is a work-based computer that could be the reason for the pop-ups and you should check with them but, as far as this forum is concerned, your computer is clean.

 

Please let me know if you're happy to close this or if you have any other concerns.

 

Satchfan




#7 pstgh

  • Topic Starter
  • Members
  • 72 posts

Posted 28 January 2018 - 05:35 PM

Thanks for the guidance and the review.  I appreciate your help.

 

I work for myself, and I do use this pc for some work related tasks, but it's not owned by a large corporation with an IT department or whatever- I'm not sure what Search Engine Optimization is but I'm wondering if you think I should go ahead and approve that flash update upon the next time I get that popup?

 

Thanks again!



#8 satchfan

  • Malware Response Team
  • 2,917 posts

Posted 29 January 2018 - 03:01 AM

I'm wondering if you think I should go ahead and approve that flash update upon the next time I get that popup

Call me paranoid but I personally don't ever allow Flash to update that way. I go to here to install the latest update to keep it current, (uncheck the Chrome offer if it’s not something you want).




#9 pstgh

  • Topic Starter
  • Members
  • 72 posts

Posted 29 January 2018 - 11:47 AM

Thanks again for your help!

 

This computer seems to be running better, and I'm glad that it totally checks out with those scan programs, *but* interestingly, I updated Flash in my IE browser with that link you provided in your last message and all went fine... and then, the next day, I got another of these 'fake' Adobe Flash update requests with a different, randomly generated (?) website address. Since one option was to 'save' the update file instead of running it, and since I knew it had to be fake because I had just updated Flash with that legitimate link that you provided, I clicked on 'save' and immediately my MS Security Essentials fired up and said that a threat was identified and that file was deleted.

 

So now I need to ask you- I understand there is no existing malware operating on this pc, but someplace hidden deep in my registry is a call out to this fake adobe flash update... is there any way to identify it and hopefully, eliminate it??  I guess it's possible that some page I frequent (e.g. yahoo.com/mail) has a script which loads that popup and it's not actually buried in my registry, but I find that more difficult to believe...

 

Thanks.



#10 satchfan

  • Malware Response Team
  • 2,917 posts

Posted 29 January 2018 - 04:20 PM

I doubt it is a 'fake' Adobe update but, out of interest, which browser are you using when you get this?




#11 pstgh

  • Topic Starter
  • Members
  • 72 posts

Posted 29 January 2018 - 04:30 PM

Always MS IExplorer 11



#12 satchfan

  • Malware Response Team
  • 2,917 posts

Posted 29 January 2018 - 04:51 PM

I also use IE and had the same problem.

 

With IE open go to Tools, Internet Options, Programs, Manage Add-ons. Right-click on any Adobe Flash entry, then choose Disable.

 

I think it may need a day or two to see if that has resolved the problem so I'll keep this open for the time being but please get back with any updates.

 

Cheers




#13 pstgh

  • Topic Starter
  • Members
  • 72 posts

Posted 30 January 2018 - 02:36 PM

Wow- so far- that seems to have really helped!  Thanks!! 

 

Let's do give it another couple of days, but I think that might have done it!

 

Can you tell me more about what those addons are and/or where they came from / how I might have picked them up??

 

Thanks



#14 satchfan

  • Malware Response Team
  • 2,917 posts

Posted 30 January 2018 - 05:36 PM

Can you tell me more about what those addons are and/or where they came from / how I might have picked them up??

I'm not a reliable source to answer that kind of question but as far as I'm aware, Adobe Flash Player for Internet Explorer is part of Windows 8 and above but in your case, (Windows 7), it has been installed and, once installed, has to be enabled/disabled.

I'll keep this open for 48 hours for you to reply with an update.

Satchfan




#15 pstgh

  • Topic Starter
  • Members
  • 72 posts

Posted 30 January 2018 - 09:01 PM

Darn it!!  Had it happen again!!  ...and again, when I clicked 'Save' the file instead of 'Run' my MS Security Essentials program immediately recognized it as a threat and deleted it.

 

I looked in the Security Essentials history log and found that it had detected something called Trojan:JS/Flafisi.A, and it clearly identified the file it was trying to get me to run as Flashupdate.hta.

 

It looks exactly like the Adobe flash update request, but the website, this time from https://caeb7arabstoday.com is clearly not Adobe.

 

Any thoughts??  Obviously, I have yet to get to the bottom of this virus.

 

Thanks
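The last post pins the lure down: the "update" is a file named Flashupdate.hta, offered from a domain that is not Adobe's, and Security Essentials flags it as Trojan:JS/Flafisi.A the moment it lands on disk. An .hta file is an HTML Application; Windows hands it to mshta.exe, which runs the script inside it with the user's own privileges, and no genuine Flash Player installer is distributed in that form. Together with the clean scans and the domain changing on every appearance, that is consistent with the prompt being served by web content the browser loads rather than by something resident on the machine, which is also why the three checks below are applied to the download itself. This is an added triage example, not code from the thread, from FRST or from any Adobe or Microsoft tool. The hostile URLs are the two quoted in the thread and the file name is the one Security Essentials reported; the file contents, the get.adobe.com sample and the adobe.com.evil.example host are constructed for the example, and treating only adobe.com and macromedia.com as legitimate sources is this example's own assumption.

```python
import os
from urllib.parse import urlsplit

# Assumption for this example: Adobe distributed Flash Player from these
# registrable domains only; anything else offering a "Flash update" is untrusted.
LEGIT_SUFFIXES = ('adobe.com', 'macromedia.com')

# Extensions Windows passes to a script host (mshta.exe, wscript.exe) rather
# than executing as an installer. A Flash "update" in one of these is a lure.
SCRIPT_EXTS = {'.hta', '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh'}

# Byte patterns that mark an HTML Application or an inline script body.
HTA_MARKERS = (b'<hta:application', b'<script')

# Constructed samples. The two hostile URLs are the ones quoted in the thread
# and the file name is from post #15; the file bytes themselves are made up.
LURE_URL = 'https://caeb7arabstoday.com'
LURE_URL_2 = 'https://ag6oohitpulse.net/1619273174912/6f0ab3debdcd5d9f79e372d23802a05d/946dd444eac2c2474a7aa9749e9801ef.html'
LURE_NAME = 'Flashupdate.hta'
LURE_HEAD = (b'<html><head><title>Adobe Flash Player Update</title>\r\n'
             b'<HTA:APPLICATION ID="upd" WINDOWSTATE="minimize">')
LEGIT_URL = 'https://get.adobe.com/flashplayer/'   # assumed legitimate source
LEGIT_NAME = 'install_flash_player.exe'
LEGIT_HEAD = b'MZ\x90\x00\x03\x00\x00\x00'          # PE header, as a real installer starts


def host_is_adobe(host):
    """True only for adobe.com / macromedia.com and their subdomains.
    Matching on the label boundary defeats look-alikes such as adobe.com.evil.example."""
    host = host.lower().rstrip('.')
    return any(host == s or host.endswith('.' + s) for s in LEGIT_SUFFIXES)


def triage(url, filename, head):
    """Return the reasons a supposed Flash update should be refused.
    An empty list means none of the three checks fired; it is not proof of
    legitimacy, so a real installer should still have its signature verified."""
    reasons = []
    host = urlsplit(url).hostname or ''
    if not host_is_adobe(host):
        reasons.append(f'served from {host!r}, which is not an Adobe domain')
    ext = os.path.splitext(filename)[1].lower()
    if ext in SCRIPT_EXTS:
        reasons.append(f'{ext} files are executed by a script host, not an installer')
    lowered = head[:4096].lower()
    if any(marker in lowered for marker in HTA_MARKERS):
        reasons.append('file body is HTML/script, not a PE installer')
    return reasons


if __name__ == '__main__':
    for url, name, head in ((LURE_URL, LURE_NAME, LURE_HEAD),
                            (LURE_URL_2, LURE_NAME, LURE_HEAD),
                            (LEGIT_URL, LEGIT_NAME, LEGIT_HEAD)):
        verdict = triage(url, name, head)
        print(f'{name} from {url}: ' + ('; '.join(verdict) if verdict else 'no red flags'))
```

All three checks fire on the Flashupdate.hta sample and none on the installer sample. The host check is deliberately strict about the label boundary because the cheapest trick a lure domain can play is to put "adobe.com" at the front of a name it controls; the extension check is there because a download dialog shows the name the page chose, and "Flashupdate" reads as an installer until the .hta suffix is noticed.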





